diff options
| author | Martin Kosek <mkosek@redhat.com> | 2015-01-13 18:09:17 +0100 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2015-01-19 16:49:27 +0100 |
| commit | 6652c4eb2ebece71b6d60001246bd0fee5909099 (patch) | |
| tree | 4bd5a7e2753ddf721b7bb785582c7ca8b946463b /ACI.txt | |
| parent | 5672eb14def7b2010f1d08825eec58ff1444073f (diff) | |
| download | freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.tar.gz freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.tar.xz freeipa-6652c4eb2ebece71b6d60001246bd0fee5909099.zip | |
Allow PassSync user to locate and update NT users
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.
New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.
https://fedorahosted.org/freeipa/ticket/4837
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ACI.txt')
| -rw-r--r-- | ACI.txt | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -269,6 +269,8 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=users,cn=accounts,dc=ipa,dc=example +aci: (targetattr = "ntuniqueid || ntuseracctexpires || ntusercodepage || ntuserdeleteaccount || ntuserdomainid || ntuserlastlogoff || ntuserlastlogon")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User NT Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User NT Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=users,cn=accounts,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";) dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";) |